I'm wondering how a backdoor in a random-number generator (such as the one the NSA is rumored to have placed) actually compromises the security of things like VPNs or TLS/SSL.

What I understand is that, if such a backdoor exists, then after observing a certain number of pseudorandom bits, the attacker can then predict the rest of the pseudorandom sequence.

Can someone walk through the steps of how this allows an attacker to actually read encrypted packets? For example, how would an attacker get access to the first N random bits of a pseudo-randomly generated key in the first place? Is the problem that any random key is effectively only N bits long, because if an attacker guesses the first N correctly, he can generate the rest of the key using the backdoor? Or is it something more complicated?

@HenrickHellström Thanks for the article, but it doesn't seem to explain how a backdoor in the RNG could be used to actually break any encryption protocols.
– user11022 Dec 22 '13 at 4:15

2

"Can someone walk through the steps of how this allows an attacker to actually read encrypted packets?" comes pretty close to being off-topic, because a practical step-by-step walk-through of how an attacker can intercept and decrypt packets would quickly become a how-to-hack manual. Besides, if anywhere, such security questions about packet interception would belong on Security.SE… but I doubt you'll get a practical walk through on How-To-Intercept-And-Reverse-Engineer-Encrypted-Packets there either.
– e-sushi Dec 22 '13 at 6:17

@e-sushi I am certainly not asking for a "how to hack" manual. Just want to clarify in more detail why a backdoor in an RNG is such a big deal. For example, the Schneier article from the first comment says "To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol." That doesn't seem obvious to me, although thanks to the answer below I understand better.
– user11022 Dec 22 '13 at 19:05

Each fail weakens things. A backdoor in a random number generator is like actively implementing such a fail, introducing possible ways to lower the security of the random number generator since it becomes less random.

It's not as if a backdoor in a random number generator always directly breaks things like SSL, but it can have the ability to. The real problem is that a well constructed backdoor is near to undetectable, while allowing an attacker to take security shortcuts that wouldn't be available normally. And that would happen without the person using the RNG for security purposes noticing the backdoor.

Imagine using such a backdoor to seed something... it would look perfectly random to you, but the one who implemented the backdoor might be able to recover the whole state of the RNG by just looking at - let's say - 32 bits. That would mean you're in big-big trouble. Now imagine you feel good, safe and secure because you aren't aware of a backdoor lurking behind the screens... get a creepy feeling? Good!

Practically describing it all would be too broad, and giving you a walk-through would be too long and too technically detailed... but if you want to learn a bit more generally why a backdoor in an RNG might be a real security issue, you could read a bit about it in "The Many Flaws of Dual_EC_DRBG", which talks about a prominent, recent backdoor in an RNG and shows what practical impacts it would have had on cryptographic implementations:

If I use the Dual-EC PRG to generate the "Client Random" nonce transmitted in the beginning of an SSL connection, then the NSA will be able to predict the "Pre-Master" secret that I'm going to generate during the RSA handshake. Given this information the connection is now a cleartext read. This is not good.
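The quoted sentence describes the core of the problem: the same generator produces a value that is sent in the clear (the Client Random) and, a moment later, a value that must stay secret (the pre-master secret), and whoever holds the trapdoor can turn the public value into the generator's next state. The toy below is an added example, not code from the answer or from the linked article. It mimics the Dual_EC construction, but it uses modular exponentiation in a small prime-order group instead of elliptic-curve point multiplication, so the trapdoor relation is P = Q^d mod p rather than P = d*Q on a curve; all constants (the modulus, the base Q, the trapdoor d and the seed) are constructed for illustration and have no security value.

```python
# Toy model of a Dual_EC_DRBG-style trapdoored generator (added example).
# Dual_EC uses curve points P and Q with a hidden d such that P = d*Q; here
# we use integers mod a prime with P = Q^d mod p.  The tiny modulus is a
# constructed illustration value, not something a real generator would use.

P_MOD = 2_147_483_647          # 2^31 - 1, a prime; constructed toy modulus

# Public constants shipped with the generator.  The designer chose Q first
# and derived P from it with a secret exponent, so only the designer knows
# TRAPDOOR.  Everyone else only sees P_CONST and Q_CONST.
TRAPDOOR = 123_456_789         # constructed secret, known to the designer only
Q_CONST = 3                    # constructed public base
P_CONST = pow(Q_CONST, TRAPDOOR, P_MOD)   # P = Q^d mod p


class TrapdoorPRNG:
    """Outputs r_i = Q^s_i, then steps the state to s_{i+1} = P^s_i.

    Looks like an ordinary generator to anyone who does not know d.
    """

    def __init__(self, seed: int) -> None:
        self.state = seed % P_MOD

    def next_output(self) -> int:
        out = pow(Q_CONST, self.state, P_MOD)        # r_i = Q^s_i mod p
        self.state = pow(P_CONST, self.state, P_MOD)  # s_{i+1} = P^s_i mod p
        return out


def client_handshake_values(seed: int) -> tuple[int, int]:
    """Client side of a simplified RSA handshake.

    Both values come from the same generator stream: the first is sent in
    the clear (Client Random), the second is the secret pre-master value.
    """
    prng = TrapdoorPRNG(seed)
    client_random = prng.next_output()   # visible on the wire
    pre_master = prng.next_output()      # never sent in the clear
    return client_random, pre_master


def recover_state_from_output(observed_output: int, trapdoor: int) -> int:
    """Trapdoor holder's step: (Q^s_i)^d = (Q^d)^s_i = P^s_i = s_{i+1}."""
    return pow(observed_output, trapdoor, P_MOD)


def clone_generator(observed_output: int, trapdoor: int) -> TrapdoorPRNG:
    """Build a generator that is in exactly the client's next state."""
    clone = TrapdoorPRNG(0)
    clone.state = recover_state_from_output(observed_output, trapdoor)
    return clone


def predict_pre_master(client_random: int, trapdoor: int) -> int:
    """Everything the passive observer needs: one public value plus d."""
    return clone_generator(client_random, trapdoor).next_output()


if __name__ == "__main__":
    seed = 0xC0FFEE                       # constructed client seed
    client_random, pre_master = client_handshake_values(seed)
    guess = predict_pre_master(client_random, TRAPDOOR)
    print("client random (public):", client_random)
    print("real pre-master        :", pre_master)
    print("predicted with trapdoor:", guess, "match" if guess == pre_master else "miss")
    # Without d the observer is stuck with a discrete-log problem; a wrong
    # exponent gives an unrelated value.
    print("predicted with wrong d :", predict_pre_master(client_random, TRAPDOOR + 1))
```

Two things the toy makes concrete. First, recovering the state is not a partial leak: once the observer has s_{i+1}, the cloned generator reproduces every later output, which is why the answer above says the whole state can be recovered from a single output. Second, the weakness is in the generator, not in the protocol: the only defence for a client is to not draw any value, public or secret, from a generator whose constants it cannot trust. Real Dual_EC drops the top 16 bits of each output, so an observer has to try about 2^16 candidate points per Client Random, which is cheap; the toy skips that truncation for brevity.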

Thanks for the answer and the link. So if I understand the SSL example correctly, the problem would be if the client's machine is using Dual-EC, since the client and not the server sends the encrypted pre-master secret. But that is a good clarifying example. I imagine that is not the only example of a protocol where the same RNG might be used to generate both public and private random bits, and so the public random bits could be used to figure out the private ones.
– user11022 Dec 22 '13 at 19:00

@user11022 Right. After you've finished reading the linked article, you'll probably understand the real impact a backdoor like the one they discovered in Dual-EC might have. Such a backdoor would actually influence every crypto which relies on that RNG and things can get pretty ugly with such backdoors, but let's not think about that a few days before Christmas.
– user11040 Dec 22 '13 at 19:05

I guess the "good news" would be that I could protect myself by making sure that my computers don't use Dual-EC, because, at least in the case of TLS/SSL, the RNG on the server doesn't really matter.
– user11022 Dec 22 '13 at 19:13